Business e-banking and the 6-figure password

On Monday, Security Fix featured the story of Ronnie Cutshall, a Tennessee man who was caught up in an international money laundering scam after being recruited through a work-at-home job offer. That story mentioned that Cutshall received a $9,600 transfer from a company called American Realty, but that I didn't have any luck in tracking down the victim company. Today the American Realty company affected by that scam contacted me after reading my story (turns out they're located in Shalimar, Fla., not Georgia, as I had previously thought). A few weeks ago, an American Realty employee clicked a link in an e-mail scam that spoofed an IRS alert about unreported income. The Web site linked to in that message quietly installed a password-stealing Trojan horse program named Zeus. From there, the perpetrators were able to swipe the company's online banking credentials, and initiate unauthorized payroll payments to Cutshall and about 20 other individuals. In all, the hackers transferred $195,000 out of American Realty's bank account. So far, the company has retrieved just $45,000 of the stolen money. Denny Naugle, operations director at American Realty, said the company is drafting papers to sue their bank. "The bank said it detected that this was likely fraud, but they let the transfers go through anyway," Naugle said. "They're saying it's our fault because we gave our password information away." Companies that bank online enjoy few of the protections afforded to consumers. Individuals who have their online bank account cleaned out because of a password-stealing computer virus usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Businesses often are not so lucky and must take losses. I think the following anecdotes explain the difference nicely. When a consumer wants to do online banking, the bank says, "Thanks for banking with us. And don't worry: We will put your money back in our super-secure vault. Even if somebody should break in and rob the place, your money will still be safe because it's protected by armed guards, and six inches of steel. But even if they get past all of those protections and steal cash from the vault, we'll replace any money that was yours." In contrast, when businesses bank online, the unspoken message from many financial institutions is: "Thanks for banking with us. And don't worry: We'll keep your money here in our super-secure vault. Oh, and by the way, here's a key to that vault. Just make sure you don't lose it." It's probably worth noting that the FBI published an alert Wednesday warning businesses about a significant increase in this type of fraud. The alert references an intelligence note published by the FBI's Internet Crime Complaint Center (IC3), which states that as of October 2009, there has been approximately $100 million in attempted losses. This is a bit higher than previous estimates: Last month, the FBI told Security Fix it was aware of just $85 million in attempted fraud, and $40 million in actual losses. Have a question about these scams or anything else security- or tech-related? Join me at 11 a.m. Friday for another Security Fix Live online chat. Can't make it then, or can't wait to submit your question? No problem: Drop it in the queue right now. Update, 4:23 p.m. ET: Added a mention of and link to the IC3's fraud loss estimates.